
HAProxy / HAProxy Enterprise with acme.sh for cert renewal - ALL or NOTHING ? (Also renewal date is weird) #5088

Open
k8stuff opened this issue Apr 12, 2024 · 3 comments

Comments

k8stuff commented Apr 12, 2024

I have implemented the acme.sh script to renew HAProxy certificates with an external CA.

Whilst it is working great on both OSS HAProxy and Enterprise HAProxy, I am slightly confused where the renewals come from. Or rather the schedule as such.

You can create both a crontab entry and a daemon to run the renewal, and that works, BUT there still seems to be a default renewal date configured of about two months.

So today for example I tested it with a certificate (GeoTrust TLS ECC CA G1)

And when I run a renewal of the cert that expires tomorrow and is only two days old, I am getting

[Fri Apr 12 11:46:37 UTC 2024] Skip, Next renewal time is: 2024-06-10T11:37:22Z
[Fri Apr 12 11:46:37 UTC 2024] Add '--force' to force to renew.

The certificate in question, however, has only a 3 day validity.

So the only way to get around the two-month renewal is to indeed use the --force switch to renew them on your own schedule. That's of course fine, but the other issue is that the implementation also seems to renew all deployed certs regardless of validity, so if I for example have certs that expire in

3 days
3 weeks
3 months

I have to basically create a scheduled task that runs every three days so ALL certificates will be renewed every three days, which of course also means you get potentially charged every three days for all certs, despite their renewal not being due yet.

And before someone asks, no, we cannot change the 3 days one but also no, it does not ignore certs with longer renewals as acme will force the renewal regardless.

Any idea where the 2 months are configured and why that is? Minimum term for Public DV certs is 3 days and not 2 months, so it kinda makes no sense.
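One way to stop a forced cron run from renewing every certificate at once is to decide per certificate, from its own notBefore/notAfter, whether it is actually near expiry, and only then force that one domain. The script below is an added example and not acme.sh's or HAProxy's own code; the one-third-of-lifetime threshold, the inventory format and the hostnames other than xxx.com are this example's own assumptions (acme.sh itself only offers the fixed --days interval).

```shell
#!/bin/sh
# Added example, not acme.sh's own code: decide per certificate whether a
# renewal is due from that certificate's own validity window rather than a
# fixed 60-day interval, so a 3-day cert is refreshed before it lapses while
# a 90-day cert on the same host is left alone. All times are epoch seconds.

# renew_due NOTBEFORE NOTAFTER NOW
# True (0) when less than one third of the lifetime remains or the cert has
# already expired; false (1) otherwise. The one-third threshold is this
# example's own choice, not an acme.sh setting.
renew_due() {
  nb=$1; na=$2; now=$3
  lifetime=$((na - nb))
  remaining=$((na - now))
  [ "$lifetime" -gt 0 ] || return 0   # degenerate window: treat as due
  [ "$now" -lt "$na" ] || return 0    # already expired: due
  # remaining < lifetime/3  <=>  3*remaining < lifetime (integer-safe)
  [ $((3 * remaining)) -lt "$lifetime" ]
}

# renew_list NOW: reads inventory lines "domain notBefore notAfter" on stdin
# (a constructed format for this example) and prints the domains due at NOW.
renew_list() {
  while read -r domain nb na _rest; do
    case $domain in ''|'#'*) continue ;; esac
    if renew_due "$nb" "$na" "$1"; then printf '%s\n' "$domain"; fi
  done
  return 0
}

# Constructed sample inventory: the 3-day GeoTrust cert from the issue
# (notBefore Apr 12 00:00:00, notAfter Apr 14 23:59:59 2024 UTC) plus two
# hypothetical longer-lived certs issued at the same moment.
sample_inventory() {
  cat <<'EOF'
# domain                notBefore   notAfter
xxx.com                 1712880000  1713139199
three-weeks.example     1712880000  1714694400
three-months.example    1712880000  1720656000
EOF
}

# NOW is fixed to Apr 14 2024 02:00:00 UTC for a reproducible run; a cron job
# would use NOW=$(date +%s) and real notAfter values taken from openssl or
# HAProxy's "show ssl cert" output.
NOW=1713060000
sample_inventory | renew_list "$NOW" | while read -r d; do
  # Only the cert that is actually due gets the forced renewal.
  echo "would run: acme.sh --renew --ecc -d $d --force"
done
```

Run at Apr 12 12:13:56 UTC (the timestamp in the log) the 3-day cert still has 2.5 days left and nothing is due; by the morning of Apr 14 only xxx.com is listed, so the 3-week and 3-month certs are never re-issued early.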

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.


k8stuff commented Apr 12, 2024

debug 2 here. Please note I have anonymized the domain and acme URL.

[Fri Apr 12 12:13:56 UTC 2024] Lets find script dir.
[Fri Apr 12 12:13:56 UTC 2024] SCRIPT='/usr/local/share/acme.sh/acme.sh'
[Fri Apr 12 12:13:56 UTC 2024] _script='/usr/local/share/acme.sh/acme.sh'
[Fri Apr 12 12:13:56 UTC 2024] _script_home='/usr/local/share/acme.sh'
[Fri Apr 12 12:13:56 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Fri Apr 12 12:13:56 UTC 2024] LE_WORKING_DIR='/var/lib/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Fri Apr 12 12:13:56 UTC 2024] Running cmd: cron
[Fri Apr 12 12:13:56 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Fri Apr 12 12:13:56 UTC 2024] default_acme_server
[Fri Apr 12 12:13:56 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Apr 12 12:13:56 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Apr 12 12:13:56 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Fri Apr 12 12:13:56 UTC 2024] ===Starting cron===
[Fri Apr 12 12:13:56 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Fri Apr 12 12:13:56 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Apr 12 12:13:56 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Apr 12 12:13:56 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Fri Apr 12 12:13:56 UTC 2024] _stopRenewOnError
[Fri Apr 12 12:13:56 UTC 2024] _server
[Fri Apr 12 12:13:56 UTC 2024] _set_level='2'
[Fri Apr 12 12:13:56 UTC 2024] di='/var/lib/acme/.acme.sh/xxx.com_ecc/'
[Fri Apr 12 12:13:56 UTC 2024] d='xxx.com_ecc'
[Fri Apr 12 12:13:56 UTC 2024] _renewServer
[Fri Apr 12 12:13:56 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Fri Apr 12 12:13:56 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Apr 12 12:13:56 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Apr 12 12:13:56 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Fri Apr 12 12:13:56 UTC 2024] DOMAIN_PATH='/var/lib/acme/.acme.sh/xxx.com_ecc'
[Fri Apr 12 12:13:56 UTC 2024] Renew: 'xxx.com'
[Fri Apr 12 12:13:56 UTC 2024] Le_API='https://xxx/mpki/api/v1/acme/v2/directory'
[Fri Apr 12 12:13:56 UTC 2024] Renew to Le_API=https://xxx/mpki/api/v1/acme/v2/directory
[Fri Apr 12 12:13:56 UTC 2024] initpath again.
[Fri Apr 12 12:13:56 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Fri Apr 12 12:13:56 UTC 2024] ACME_DIRECTORY='https://xxx/mpki/api/v1/acme/v2/directory'
[Fri Apr 12 12:13:56 UTC 2024] _ACME_SERVER_HOST='xxx.com'
[Fri Apr 12 12:13:56 UTC 2024] _ACME_SERVER_PATH='mpki/api/v1/acme/v2/directory'
[Fri Apr 12 12:13:56 UTC 2024] Skip, Next renewal time is: 2024-06-10T11:47:23Z
[Fri Apr 12 12:13:56 UTC 2024] Add '--force' to force to renew.
[Fri Apr 12 12:13:56 UTC 2024] Return code: 2
[Fri Apr 12 12:13:56 UTC 2024] Skipped xxx.com_ecc
[Fri Apr 12 12:13:56 UTC 2024] _error_level='3'
[Fri Apr 12 12:13:56 UTC 2024] _set_level='2'
[Fri Apr 12 12:13:56 UTC 2024] ===End cron===


k8stuff commented Apr 12, 2024

Here is a screenshot showing that the domain is indeed valid for only three days rather than two months.


acme@xxx$ echo "show ssl cert /etc/hapee-2.8/certs/xxx.com.pem" | socat /var/run/hapee-2.8/hapee-lb.sock -
Filename: /etc/hapee-2.8/certs/xxx.com.pem
Status: Used
Serial: xxx
notBefore: Apr 12 00:00:00 2024 GMT
notAfter: Apr 14 23:59:59 2024 GMT
Subject Alternative Name: DNS:xxx.com
Algorithm: EC256
SHA1 FingerPrint: xxx
Subject: /CN=xxx.com
Issuer: /C=US/O=xxx Inc/OU=www.xxx.com/CN=GeoTrust TLS ECC CA G1
Chain Subject: /C=US/O=xxx Inc/OU=www.xxx.com/CN=GeoTrust TLS ECC CA G1
Chain Issuer: /C=US/O=xxx Inc/OU=www.xxx.com/CN=xxx Global Root G3
Chain Subject: /C=US/O=xxx Inc/OU=www.xxx.com/CN=xxx Global Root G3
Chain Issuer: /C=US/O=xxx Inc/OU=wwwxxx.com/CN=xxx Global Root G3
OCSP Response Key:
